Commit graph

36 commits

Author SHA1 Message Date
raito f4588aff2b feat: listen on Gerrit events and rewrite them as generic VCS events
This introduces the private SSH key for Gerrit event streaming.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-16 01:25:53 +01:00
raito bb7d5c1c7d chore: re-encrypt rabbitmq password
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 17:25:35 +01:00
raito 47b713ca58 feat: introduce ofborg builder
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
raito decc9963ee feat: add buildbot.lix.systems
This introduces a new Buildbot instance using all the previous work.

This is a "Raito's VM" hardware type.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:53:25 +02:00
raito 160e7c5ecb fix(secrets): rekey for buildbot.lix.systems and build02.aarch64.lix.systems
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:52:37 +02:00
raito 3df1697289 fix(secrets): rekey the monitoring password
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 11:28:29 +02:00
raito 92560708b8 feat: multi-tenant secrets
Lix may have its own secrets and we want to maintain a certain
generalization level on the NixOS modules, so we can decorrelate which
secret we select dynamically by having a simple tenancy hierarchy
system.

This unfortunately requires to rewrite all call sites with a floral
prefix until we migrate them to the simple internal secret module which
is aware of this.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00
raito 4749d204bf feat: add stateless-uptime-kuma-password secret
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-09-29 16:01:23 +02:00
raito 9a04ef909b feat(nixpkgs): run oxidized channel scripts
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 19:32:23 +02:00
Ilya K c1712dc1fa Set up tempo 2024-08-31 15:05:30 +03:00
raito 9063138156 feat(secrets): add s3 reverse proxy API keys
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-31 00:19:49 +02:00
raito ac7815321a feat(pyroscope): add secrets and storage
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-23 20:58:08 +02:00
raito bf1b8d4d19 secrets: rekey for public01 access to metrics
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-21 16:45:12 +02:00
raito 58c0dd3d2e feat(public): add listmonk instance on news.forkos.org
To prepare for public communications and updates.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-21 16:45:12 +02:00
Pierre Bourdon 5fdce0e2b5
hydra: move from bagel-box to build-coord 2024-08-16 09:03:29 +02:00
Pierre Bourdon c33326f836
hydra: switch to using mTLS instead of local peer auth 2024-08-16 08:19:18 +02:00
Pierre Bourdon 0dd333c573
postgres: add mTLS support
New client certs can be minted via the provided script, which is meant
to be run on the postgres server (where the CA private key is
conveniently deployed).
2024-08-16 07:59:12 +02:00
Pierre Bourdon 37bcb261ab
ssh-keys: add build-coord, rekey secrets 2024-08-13 22:36:30 +02:00
Ilya K f8cad42b5c Set up alertmanager-hookshot-adapter 2024-08-09 14:03:56 +00:00
raito 80c4757571 gerrit01: add a one-way-sync service
It's basic and does not handle conflicts which needs to be manually
managed.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-19 17:52:44 +02:00
raito da7175303c buildbot: add support for remote builders via baremetal machines
For now, only builder-3 is used.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:28:26 +02:00
raito a56426e6c9 secrets: rekey for new machine (buildbot)
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
raito 7789e9ce75 services/buildbot: init
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-17 18:00:51 +02:00
Luke Granger-Brown 2b8f42dcda secrets: add gerrit-prometheus-bearer-token 2024-07-15 11:02:54 +00:00
Pierre Bourdon f74d1ca0f6
hydra: start signing paths 2024-07-10 17:34:57 +02:00
Ilya K 787b3af638 Add wob-vpn-gw key, rekey metrics push password for it 2024-07-10 15:13:05 +03:00
Pierre Bourdon afaf49eb97
secrets: rekey 2024-07-10 01:05:05 +02:00
raito 3828721e4f services/netbox: enable OIDC via Lix SSO
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-09 02:45:58 +02:00
Ilya K 563e0685d4 Metrics fixups
- fix grafana-agent config format
- rekey metrics-push-password for fodwatch
2024-07-08 10:01:25 +03:00
Ilya K 40ba3c4ae7 Prepare for remote push metrics 2024-07-08 09:33:59 +03:00
Ilya K 2441d18f17 Add Loki + Promtail setup 2024-07-05 16:10:31 +00:00
Ilya K 63b31e98cf Add Grafana/Prometheus/Mimir minimal setup
More later, Loki also later.
2024-07-05 16:10:31 +00:00
Pierre Bourdon bf8fe65f9f
bagel-box: update ssh host key & rekey 2024-07-04 13:59:18 +02:00
raito e3f3c87c0d meta01: init
Includes:

- Raito VM module
- Raito proxy aware NGINX module
- Base server module
- Sysadmin module
- New SSH keys
- Netbox module

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-01 19:40:37 +02:00
Pierre Bourdon 73aecaef41
hydra: provide S3 and SSH credentials (via agenix) 2024-06-24 20:59:19 +02:00
Pierre Bourdon 04bd33e32c
infra: add agenix, add s3 credentials 2024-06-24 18:03:20 +02:00